Security UPDATE, July 30, 2003

==== This Issue Sponsored By ====

LearnKey Direct http://list.winnetmag.com/cgi-bin3/DM/y/eA0D74Eh0CCB0BBde0AD

Ecora Software http://list.winnetmag.com/cgi-bin3/DM/y/eA0D74Eh0CCB0BBdd0AC

1. In Focus: "Hacking" Contest and Demonstration Code

2. Security Risks - Remote Buffer Overrun in Witango Application Server - DoS in NT 4.0 - Multiple Buffer Overruns in Microsoft DirectX - Multiple Vulnerabilities in Microsoft SQL Server

3. Announcements - Exchange 2003: Do You Plan to Migrate or Wait? - Learn More About the Security Risks in Exchange 2003

4. Security Roundup - News: Researchers Crack Windows Passwords in Seconds - Feature: Protecting Your Payload - Feature: Sample SQL Firewall Products 5. Security Toolkit - Virus Center - FAQ: Why Do I Receive an Error on Startup That Says the System Can't Find System32.exe in My System32 Folder?

6. Event - New--Mobile & Wireless Road Show! 7. New and Improved - Lure Attackers with a Honeypot - Track Changes to AD and Group Policy - Submit Top Product Ideas

8. Hot Thread - Windows & .NET Magazine Online Forums - Featured Thread: Notifying Users About Logon Credentials

9. Contact Us See this section for a list of ways to contact us.

FREE Network Security Report The FBI has identified 4000 ways a hacker can penetrate a network - even a well-protected network. They've issued a report on the top 20 vulnerabilities and how to close those doors to hackers. LearnKey Direct a leader in IT security training will give you the report FREE if you're in the US and one of the first 35 people to respond to this message. click here for online service http://list.winnetmag.com/cgi-bin3/DM/y/eA0D74Eh0CCB0BBde0AD Or Call 877 288-2764

Editor's Note: We'd like your opinion about Security UPDATE! To improve the editorial quality of this email newsletter and determine the best delivery format, we need your feedback. Please take some time to answer our online survey. The survey gives you the opportunity to provide feedback in one online survey about all the Windows & .NET Magazine Network newsletters to which you subscribe. We appreciate your time, and we look forward to reading your comments. To answer the survey, go to http://websurveyor.net/wsb.dll/12237/EditorsEmail.htm

==== 1. In Focus: "Hacking" Contest and Demonstration Code ==== by Mark Joseph Edwards, News Editor, [email protected]

An interesting news story described a recent occurrence in Japan. The country's Ministry of Economy, Trade and Industry (METI) had scheduled a tournament in which students would compete against one another to exercise their computer security skills. Many small teams would try to penetrate the security of one another's computers while at the same time protecting their machines from intrusion. The defended machines were to use the Windows 2000 OS. Students were free to use other OSs as well in their attempts to breach security. The exercise sounds great to me. All teams would use their protection and penetration knowledge--and learn by observing the tactics used against them. However, the Japanese government canceled the contest after many Japanese citizens complained that such a tournament was the equivalent of promoting cybercrime. (I wonder whether those same people also think that teaching law-enforcement officers about the criminal mind will turn cops into criminals.) I think that the government might be limiting its chances of developing a better set of white-hat "hackers." In last week's Security UPDATE, I wrote about the Last Stage of Delirium Research Group, the Polish group that discovered the remote procedure call (RPC) buffer-overflow vulnerability that affects Windows Server 2003, Windows XP, Win2K, and Windows NT 4.0. The problem is serious because it lets intruders run the code of their choice on an unprotected system--and it affects many OSs. The group chose not to divulge technical details about the discovery at the time the vulnerability became public. I noted that the Last Stage of Delirium Research Group does routinely publish technical details along with code for problems it discovers. I recommended that because the group would eventually release demonstration code, users should patch their systems before a known exploit became available to the public. I thought users might have at least a few weeks for the patching process. However, another group published working demonstration code sooner. On Friday, July 25, Xfocus (which is based in China) published code that attackers can use to exploit the same vulnerability. The code, which appeared on mailing lists and on the group's Web site, is designed for demonstration against any of the affected OSs. When attackers launch the code against an unprotected system, the code gives them a remote command shell. Several security professionals worry that with working code now readily available, someone will use it to create a worm and release it on the Internet. That scenario certainly could occur. Patch your systems now or perform a workaround, such as blocking port 135 at your network borders or disabling Distributed COM (DCOM) by using dcomcnfg.exe. Also, spread the word about the vulnerability to business associates, family, and friends--any of whom might be using an affected system that isn't protected properly. The release of the exploit code was inevitable. As far as I know, no public notices provided Xfocus with specific details about the RPC problem, but the group might have gleaned more specific details from some source. However, Xfocus and other groups could easily test a system until they find a weakness--and develop working code from that point. Many companies currently frown on the release of demonstration code, even some companies that formerly released code but have ceased doing so. Nevertheless, such code releases will continue to occur as they have for the past decade--with the stakes increasingly higher. In any case, we should guard against attacks as best we can. Diligent knowledge gathering and action are required--and should lead to protection when the actions are adequate. We need to keep monitoring newsletters, mailing lists, and other information outlets--and acting on the knowledge. You're probably aware, for example, that Microsoft recently released three more security patches, one of which is critical and affects all Windows OSs. eEye Digital Security discovered the critical flaws, which involve Microsoft DirectX. An unchecked buffer lets intruders run a specially crafted MIDI file to run code of their choice on an unprotected system. You'll find patches linked through the section "Multiple Buffer Overruns in DirectX" in this edition of Security UPDATE. Be sure to patch your systems if necessary!

==== Sponsor: Ecora Software ====

Discover rogue machines and open ports on your network -- FREE How secure is your network? Want to quickly discover if there are any rogue machines or unauthorized open ports? Find out in minutes with Ecora's FREE utility, Ecora NetExplorer. Discover just about every type of device running within a specified IP range, giving you a complete, up-to-date inventory of your network. NetExplorer can also scan all TCP and UDP ports to close potential security holes before someone else finds them. Download this free utility now! http://list.winnetmag.com/cgi-bin3/DM/y/eA0D74Eh0CCB0BBdd0AC

==== 2. Security Risks ==== contributed by Ken Pfeil, [email protected]

Remote Buffer Overrun in Witango Application Server NGSSoftware discovered that a buffer-overrun condition in Witango and Tango 2000 Application Server can result in remote compromise of the vulnerable host. If a malicious user passes a long cookie to Witango_UserReference, the saved return address is overwritten on the stack. Because Witango is installed as LocalSystem, any arbitrary code execution will run as SYSTEM. Witango has corrected this problem and recommends that affected customers download the latest build from its Web site. http://www.secadministrator.com/articles/index.cfm?articleid=39645

DoS in NT 4.0 Matt Miller and Jeremy Rauch of @stake discovered that a new vulnerability in Windows NT 4.0 can result in a Denial of Service (DoS) condition. If a malicious user passes a specially crafted request through an application to the affected function, the function can cause the system to free memory that the function doesn't own. If an application making the request to the function doesn't carry out any user-input validation and permits the specially crafted request to be passed to the function, the application passing the request could fail. Microsoft has released Security Bulletin MS03-029 (Flaw in Windows Function Could Allow Denial of Service) to address this vulnerability and recommends that affected users immediately apply the patch mentioned in the bulletin. http://www.secadministrator.com/articles/index.cfm?articleid=39665

Multiple Buffer Overruns in Microsoft DirectX eEye Digital Security discovered that two buffer-overrun vulnerabilities in Microsoft DirectX can result in the execution of arbitrary code on the vulnerable computer. This vulnerability stems from a pair of flaws in all versions of quartz.dll, which lets Windows applications play MIDI music through a common interface. Microsoft has released Security Bulletin MS03-030 (Unchecked Buffer in DirectX Could Enable System Compromise) to address this vulnerability and recommends that affected users immediately apply the patch mentioned in the bulletin. http://www.secadministrator.com/articles/index.cfm?articleid=39666

Multiple Vulnerabilities in Microsoft SQL Server Andreas Junstream of @stake discovered three new vulnerabilities in Microsoft SQL Server 2000, SQL Server 7.0, Microsoft SQL Server Desktop Engine (MSDE--in SQL Server 2000), and Microsoft Data Engine (MSDE) 1.0 (in SQL Server 7.0), the most serious of which can result in the execution of arbitrary code on the vulnerable computer. These vulnerabilities include named-pipe hijacking, named-pipe Denial of Service (DoS), and a SQL Server buffer overrun. Microsoft has released Security Bulletin MS03-031 (Cumulative Patch for Microsoft SQL Server) to address this vulnerability and recommends that affected users apply the appropriate patch mentioned in the bulletin. http://www.secadministrator.com/articles/index.cfm?articleid=39667

==== 3. Announcements ==== (from Windows & .NET Magazine and its partners)

Exchange 2003: Do You Plan to Migrate or Wait? Windows & .NET Magazine and Aelita Software would like to know about your organization's plans to migrate to Exchange Server 2003. Take our brief survey, "Windows & .NET Magazine: The State of Exchange Migration," and sign up to receive a free white paper titled, "Upgrade or Migrate? Deployment Options for Exchange 2000/2003." Give us your feedback today! http://www.zoomerang.com/survey.zgi?B5NXJHSXDYM487LFN42EGNHH Learn More About the Security Risks in Exchange 2003 Videotaped live at Microsoft TechEd 2003, this free archived Web seminar delivers an introduction to the new security features and enhancements of Exchange Server 2003, including the new security APIs that can minimize virus risk and spam traffic. Plus, you'll discover more about the future of the messaging industry and what's on the horizon in assessing risk. Register today! http://www.winnetmag.com/seminars/securityrisks

==== 4. Security Roundup ====

News: Researchers Crack Windows Passwords in Seconds Researchers from Switzerland have developed a scheme that lets them crack most Windows passwords in about 13 seconds, reducing the time it takes to break these codes by more than a minute and a half. The scheme enforces a growing concern in the security community that the way in which Microsoft encodes passwords in Windows is inherently weak, opening the door for cracking programs to use brute-force methods to test and break passwords. http://www.secadministrator.com/articles/index.cfm?articleid=39646

Feature: Protecting Your Payload The most important piece of application security is protecting and maintaining the integrity of application data--a major undertaking that requires security staff to work closely with DBAs and application developers. Guarding the data includes protecting against unauthorized use, theft, and poisoning of the data (injecting false information or compromising the integrity of the information), as well as managing privacy concerns and regulatory requirements. The data elements are almost always stored within relational databases such as Microsoft SQL Server. Therefore, taking extra security precautions around SQL Server databases is urgent. One of these precautions can be the installation of an SQL firewall. This article explains how SQL firewalls can enhance your application security and shows how you can implement them as part of an overall security program. http://www.secadministrator.com/articles/index.cfm?articleid=39440

Feature: Sample SQL Firewall Products SQL firewalls are newcomers to the world of content security and firewalls. Historically, most SQL firewalls have been internal solutions built on various firewall and proxy frameworks such as Windows Sockets (SOCKS). However, vendors have now shifted to appliance-based firewalls (firewalls packaged as standalone, hardware-based black boxes) because customers prefer plug-and-run security products that insert easily into the network. In this article, Ron Ben-Natan offers a sampling of SQL firewall products. http://www.secadministrator.com/articles/index.cfm?articleid=39449

==== Hot Release ====

==== 5. Security Toolkit ====

Virus Center Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security. http://www.secadministrator.com/panda

FAQ: Why Do I Receive an Error on Startup That Says the System Can't Find System32.exe in My System32 Folder? (contributed by John Savill, http://www.windows2000faq.com)

A. More than likely, your machine was infected by the system32.exe virus, which your antivirus software removed without removing the startup entry in the registry. To resolve this error, perform the following steps: 1. Start a registry editor (e.g., regedit.exe). 2. Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry subkey. 3. Select the entry "Explorer.exe C:\Windows\system32\system32.exe," then click Delete (the path for this registry entry might be slightly different on your machine, depending on where you installed Windows). 4. If you see a registry entry for cmd32.exe, remove it as well. 5. Click Yes to the confirmation dialog box.

If you can't find the registry entry I describe in the second step, review this FAQ for a list of other registry locations you can search.

==== 6. Event ====

New--Mobile & Wireless Road Show! Learn more about the wireless and mobility solutions that are available today! Register now for this free event! http://www.winnetmag.com/roadshows/wireless

==== 7. New and Improved ==== by Sue Cooper, [email protected]

Lure Attackers with a Honeypot KeyFocus released KFSensor 1.4, a honeypot-based Intrusion Detection System (IDS) that attracts and detects attackers by simulating vulnerable system services. Features include detailed logging, analysis of attacks, and multiple alerting mechanisms. Designed for ease of configuration and maintenance, the software can complement your existing security defense. The product supports Windows 2003/XP/2000/NT/Me/98. Contact London-based KeyFocus on its Web site. http://www.kfsensor.com

Track Changes to AD And Group Policy Small Wonders Software announced Active Administrator 3.0, which tracks changes made to Active Directory (AD) and Group Policy. New features include an AD audit log and a Group Policy history tracking function that lets you roll back to a previous version of a GPO without first performing a system-state backup restore. The software also provides Resultant Set of Policies (RSoP) for your Group Policy planning and self-repairing installations by using the Windows Installer service. The product supports Windows 2003/XP/2000. Contact Small Wonders Software at 407-647-4555 or [email protected]. http://www.smallwonders.com

Submit Top Product Ideas Have you used a product that changed your IT experience by saving you time or easing your daily burden? Do you know of a terrific product that others should know about? Tell us! We want to write about the product in a future What's Hot column. Send your product suggestions to [email protected].

==== 8. Hot Thread ====

Windows & .NET Magazine Online Forums http://www.winnetmag.com/forums

Featured Thread: Notifying Users About Logon Credentials (Five messages in this thread)

A user writes that his company currently sends letters to notify new users about their logon credentials. He would like to make the communication paperless. He wants to know whether anyone has implemented a secure, efficient notification process. Lend a hand or read the responses. http://www.winnetmag.com/forums/rd.cfm?cid=42&tid=61557

==== Sponsored Links ====

AutoProf Jerry Honeycutt Desktop Deployment Whitepaper http://ad.doubleclick.net/clk;5790077;8214395;s?http://www.AutoProf.com/Update_TextLinks_2003_06_23.html

CrossTec Free Download - NEW NetOp 7.6 - faster, more secure, remote support http://ad.doubleclick.net/clk;5930423;8214395;j?http://www.crossteccorp.com/w2kmag.htm

==== 9. Contact Us ====

About the newsletter -- [email protected] About technical questions -- http://www.winnetmag.com/forums About product news -- [email protected] About your subscription -- [email protected] About sponsoring Security UPDATE -- [email protected]